How Endpoint Protection checks the integrity of files when receiving LiveUpdate content



Article ID: 260418


Products

Endpoint Protection

Issue/Introduction

How Symantec Endpoint Protection (SEP) clients check the integrity of the files they receive as LiveUpdate content from LiveUpdate Administrator (LUA) or Symantec Endpoint Protection Manager (SEPM).

Use case: the LUA/SEPM server is compromised and a definition file in the content path is replaced with a different, infected file.


Resolution


The client verifies the integrity of the LiveUpdate content files it receives from LUA/SEPM using the Livetri.zip archive, which is downloaded as part of the LiveUpdate content.

The Livetri.zip archive contains the following files:

  • Liveupdt.sig - The LiveUpdate signature file. It contains a hash of liveupdt.grd and is used by LiveUpdate to verify that the package it just downloaded has not been tampered with; its purpose is to prevent tampering with liveupdt.grd.
  • Liveupdt.tri - Contains metadata about the update that LiveUpdate uses to determine whether it needs to download the actual update package.
  • Liveupdt.grd - The LiveUpdate guard file. It contains SHA1 and SHA256 hashes of the liveupdt.tri file and of the content update file; its purpose is to prevent tampering with the .tri file and the update files.

The same process applies to LUA's own content download as well.
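The chain described above (signature file covers the guard file, guard file covers the .tri metadata and the content) is easier to reason about as code. The following is an added illustration, not Symantec's implementation: the article does not document the on-disk layout of liveupdt.grd or the signature scheme in liveupdt.sig, so this example assumes a JSON guard file, an HMAC over the guard file's SHA256 as a stand-in for the real signature, and a content file named content.zip. It walks the use case from the article: a definition file swapped on the server is caught by the guard hashes, and an attacker who also rewrites the guard file is caught by the signature check.

```python
import hashlib
import hmac
import json

# Hypothetical key standing in for LiveUpdate's signing key. The real scheme is
# not described in the article; an HMAC is used here only to model "a signature
# the server-side attacker cannot regenerate".
SIGNING_KEY = b"example-signing-key-for-illustration-only"


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_guard(tri: bytes, content: bytes) -> bytes:
    """Build a guard file (assumed JSON layout) holding SHA1 and SHA256 of the
    .tri metadata and of the content update file, as liveupdt.grd does."""
    guard = {
        "liveupdt.tri": {"sha1": sha1(tri), "sha256": sha256(tri)},
        "content.zip": {"sha1": sha1(content), "sha256": sha256(content)},
    }
    return json.dumps(guard, sort_keys=True).encode()


def build_sig(guard: bytes) -> bytes:
    """Signature file: covers a hash of the guard file, as liveupdt.sig does.
    Assumed format: hex HMAC-SHA256 over the guard file's SHA256 digest."""
    digest = sha256(guard).encode()
    return hmac.new(SIGNING_KEY, digest, hashlib.sha256).hexdigest().encode()


def verify_package(sig: bytes, guard: bytes, tri: bytes, content: bytes):
    """Verify the chain sig -> guard -> (tri, content). Returns (ok, reason)."""
    # Step 1: the signature file must vouch for the guard file exactly as received.
    if not hmac.compare_digest(build_sig(guard), sig):
        return False, "guard file signature mismatch"
    try:
        entries = json.loads(guard)
    except ValueError:
        return False, "guard file unparseable"
    # Step 2: every file the guard lists must match both recorded hashes.
    for name, data in (("liveupdt.tri", tri), ("content.zip", content)):
        entry = entries.get(name)
        if entry is None:
            return False, f"{name} missing from guard file"
        if entry["sha256"] != sha256(data) or entry["sha1"] != sha1(data):
            return False, f"{name} hash mismatch"
    return True, "ok"


def demo():
    """Run the clean case and the two tampering scenarios from the use case."""
    tri = b"constructed metadata: seq=12345"          # constructed sample .tri
    content = b"constructed definition content v1"    # constructed sample content
    guard = build_guard(tri, content)
    sig = build_sig(guard)
    tampered = b"constructed tampered content"

    results = {}
    results["clean"] = verify_package(sig, guard, tri, content)
    # Definition file on the server replaced; guard and sig left untouched.
    results["content_swapped"] = verify_package(sig, guard, tri, tampered)
    # Attacker also regenerates the guard file to match, but has no signing key,
    # so the original sig no longer covers the rewritten guard.
    forged_guard = build_guard(tri, tampered)
    results["guard_rewritten"] = verify_package(sig, forged_guard, tri, tampered)
    return results


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'} ({reason})")
```

The check order matters: the signature over the guard file is verified first, so a guard file that has been rewritten to match substituted content is rejected before any of its hashes are consulted. Replacing the content alone is rejected one step later, on the guard's hash for that file.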